Notification for Firewall Matches

Edit: As pointed out by @biki73 in his reply below, this entire thing is not required in new versions of RouterOS, which has a built-in logging action target to script. Thanks biki73

Hello,
I would like to share a small tool I developed for getting a notification when a specific firewall rule is matched.
This setup makes use of remote syslog and firewall logging, so everything happens asynchronously and it should not have any significant effect on packet processing.

The basic working principle is:

  1. a container or machine running a simple custom syslog server (more details follow)
  2. a new system logging action is created to send logs to the custom syslog server
  3. firewall rules are created to match the required packets, with logging enabled and an appropriate log prefix
  4. a new system logging rule is created to send firewall logs, filtered by the log prefix as a regex, to the logging action created in step 2
  5. the custom syslog server sends a notification with the syslog message

If you are already using remote syslog with your router and a log collector like Splunk, you probably already have better options for notifications. This is for the small setup at my home, where I am not running a full log collector stack.

I have written the syslog server in Go; the source is available at github. Currently it only supports gotify notifications; if you need any other notification channel please let me know. I have a Docker image as well, in both ghcr and Docker Hub:

docker pull netmaxt3r/sys-notify:latest
docker pull ghcr.io/netmaxt3r/sys-notify:latest

Here is my setup

container app

With two environment variables from the Docker image:

  • GOTIFY_URL: base URL for the gotify server (without /message, just https://notify.mydomain.com)
  • GOTIFY_TOKEN: gotify app token for router notifications

new logging action

System > Logging > Action

Note: the remote address is my container IP from the veth interface.

Firewall rule with logging

In my case it is a rejection rule based on the CrowdSec blacklist, hence my prefix is “CROWDSEC”.

New Logging Rule

System > Logging > Rule

I used the same prefix as the regex filter, to match only my CrowdSec rule.

Whenever a packet is matched I get a notification on my gotify.
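The receiving side of steps 1 and 5, as an added Go example (not the sys-notify code from the post): it strips the syslog <PRI> field, re-applies the same prefix regex the router-side logging rule uses, and pushes the message to gotify. Assumed: datagrams arrive as `<PRI>topics message` (RouterOS remote syslog without the BSD header), the names `handle`/`postGotify` are mine, the gotify `/message` endpoint and `X-Gotify-Key` header are from the gotify API, and the UDP listener is left out in favour of one datagram per line on stdin.

```go
package main

import (
	"bufio"
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"os"
	"regexp"
)

var priRe = regexp.MustCompile(`^<\d{1,3}>`) // RouterOS remote syslog: "<PRI>topics message"

// handle strips <PRI>, re-applies the logging rule's prefix regex (so only the
// intended firewall rule triggers a push) and calls notify on a match.
func handle(raw string, filter *regexp.Regexp, notify func(string) error) (bool, error) {
	loc := priRe.FindStringIndex(raw)
	if loc == nil {
		return false, fmt.Errorf("not a syslog datagram: %q", raw)
	}
	if text := raw[loc[1]:]; filter.MatchString(text) {
		return true, notify(text)
	}
	return false, nil
}

// postGotify sends one message through the gotify REST API at <GOTIFY_URL>/message.
func postGotify(baseURL, token, msg string) error {
	body, _ := json.Marshal(map[string]any{"title": "Firewall match", "message": msg, "priority": 5})
	req, _ := http.NewRequest("POST", baseURL+"/message", bytes.NewReader(body))
	req.Header.Set("Content-Type", "application/json")
	req.Header.Set("X-Gotify-Key", token) // header, not ?token=, keeps the secret out of URL logs
	if resp, err := http.DefaultClient.Do(req); err != nil {
		return err
	} else if resp.Body.Close(); resp.StatusCode/100 != 2 {
		return fmt.Errorf("gotify: %s", resp.Status)
	}
	return nil
}

func main() { // one datagram per line on stdin; a UDP listener would feed handle the same way
	filter := regexp.MustCompile(`\bCROWDSEC\b`) // same prefix as the router-side logging rule
	notify := func(s string) error { return postGotify(os.Getenv("GOTIFY_URL"), os.Getenv("GOTIFY_TOKEN"), s) }
	for sc := bufio.NewScanner(os.Stdin); sc.Scan(); {
		if _, err := handle(sc.Text(), filter, notify); err != nil {
			fmt.Fprintln(os.Stderr, err)
		}
	}
}
```

Filtering again on the container side means a datagram from another logging rule, or a stray one that reaches the port without the prefix, cannot trigger a push.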

Or you could set it up directly on MikroTik without overengineering.

I know about a script looping over the logs on a schedule, but that is not a real-time notification.

Could you please let me know how you are doing it?

In new versions of RouterOS (7.22) logging actions have 'mail' and 'script' options.

Oh, I didn't know this. Thank you.
Any idea how to get the contents of the log entry inside the script? I couldn't get much info from Log - RouterOS - MikroTik Documentation

$message

Thank you, it worked very well.